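---
# Argo may have server-side-applied cluster FlowSchemas; Helm then fails with
# "conflict with argocd-controller".
#
# Every task passes argv as a list to ansible.builtin.command, so no shell
# parses the templated paths in noble_repo_root / noble_kubeconfig.

# Read-only probe. failed_when is deliberately false so that a missing
# FlowSchema does not fail the play. This also hides RBAC and connectivity
# errors, so the delete below is additionally gated on rc == 0.
- name: Read kyverno-admission-controller FlowSchema (if any) for SSA repair
  ansible.builtin.command:
    argv:
      - kubectl
      - get
      - flowschemas.flowcontrol.apiserver.k8s.io
      - kyverno-admission-controller
      # managedFields are needed to see which field managers own the object.
      - --show-managed-fields=true
      - -o
      - json
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_kyverno_flowschema_json
  failed_when: false
  changed_when: false
  when: noble_kyverno_repair_argo_ssa_on_flowschema | default(true) | bool

# Destructive step: removes a cluster-scoped API Priority and Fairness object.
# The ownership test parses the JSON and inspects only
# metadata.managedFields[].manager. A plain substring search over the whole
# document would also fire on a label, annotation or any other field that
# merely contains the text "argocd-controller".
# NOTE(review): the FlowSchema is absent until the Helm task below recreates
# it, and --wait=false returns before deletion has completed - confirm that
# window is acceptable for this cluster.
- name: Remove kyverno-admission-controller FlowSchema when Argo is a field manager (Helm SSA conflict recovery)
  ansible.builtin.command:
    argv:
      - kubectl
      - delete
      - flowschemas.flowcontrol.apiserver.k8s.io
      - kyverno-admission-controller
      - --wait=false
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when:
    - noble_kyverno_repair_argo_ssa_on_flowschema | default(true) | bool
    - not (noble_kyverno_flowschema_json.skipped | default(false))
    - noble_kyverno_flowschema_json.rc | default(-1) | int == 0
    # Either the operator forces deletion explicitly, or a field manager whose
    # name contains "argocd-controller" is recorded on the object.
    - >-
      (noble_kyverno_delete_kyverno_admission_flowschema_if_present | default(false) | bool)
      or
      ((noble_kyverno_flowschema_json.stdout | default('{}', true) | from_json).metadata.managedFields
      | default([])
      | selectattr('manager', 'defined')
      | selectattr('manager', 'search', 'argocd-controller')
      | list | length > 0)
  changed_when: true

# changed_when is hard-coded, so this task reports "changed" on every run even
# when kubectl leaves the namespace untouched.
- name: Create Kyverno namespace
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/kyverno/namespace.yaml"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  changed_when: true

# Kyverno is an admission controller, so the chart installed here ends up in
# the cluster's admission path.
# NOTE(review): the chart is pinned by version only and resolved through the
# "kyverno" Helm repo alias, which is configured outside this file. Nothing
# here verifies chart provenance or a digest - confirm where the repo URL is
# set and whether that is sufficient for this cluster.
# NOTE(review): --force-conflicts lets Helm override field-ownership conflicts
# with other managers. If Argo CD still syncs these objects it may reclaim
# them - confirm ownership is settled on one tool.
- name: Install Kyverno operator
  ansible.builtin.command:
    argv:
      - helm
      - upgrade
      - --install
      - kyverno
      - kyverno/kyverno
      - -n
      - kyverno
      - --version
      - "3.8.0"
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/kyverno/values.yaml"
      - --force-conflicts
      - --wait
      - --timeout
      - 15m
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  changed_when: true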